Web content filtering made easy

This post is dedicated to the Children of Ubuntu

As a parent you might wish to restrict your children's access to certain web sites (pr0n). In this tutorial I will demonstrate how to do this as easily as possible, without the need to manually maintain white and black lists. The combination of dansguardian + privoxy is easy to configure, and a few “simple” iptables rules lock down the web access.

The key thing to understand is that dansguardian needs another proxy server. Most tutorials use squid, which is full featured but, IMO, complex and a bit of overkill.

Privoxy is easier than squid to configure and has additional features including privacy and ad blocking capabilities.

As an alternate to this tutorial you could consider or squid + dansguardian. This option does not offer either the ad blocking or privacy of Privoxy, although you may add SquidGuard. IMO, squid is both a bit of overkill and takes more time to configure.

The second line allows privoxy to connect to ports 80 and 443.
The third line blocks everyone but privoxy.

The fourth line allows dansguardian to connect to privoxy.
The fifth line allows bodhi (parents) to connect to privoxy, thus circumventing dansguardian.
Obviously change “bodhi” to your login name, and add additional users if needed, one per line, before you add the last “DROP” line.

The last line blocks all other connections to privoxy.

Parents can surf the web, with adblock, but without dansguardian by pointing firefox to port 8118
Children can surf the web + adblock + dansguardian by pointing firefox to port 8080

Obviously parents and children should have unique login accounts.
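
Because the per-user ACCEPT lines only take effect when they sit before the final DROP, the order of a saved rule set is worth checking. The following is an added example, not part of the original post: a POSIX shell function that reads iptables-save output and reports any owner ACCEPT that lands after the catch-all DROP for the same port. The function names, the sample rule sets and the numeric UIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit rule order in the filter
# table's OUTPUT chain, reading `iptables-save` output on stdin.
# Usage on a live system:  sudo iptables-save | check_order '--dport 8118'
check_order() {   # $1 = port match as it appears in the saved rules
    awk -v spec="$1" '
        /^\*/ { table = substr($0, 2); next }        # "*filter", "*nat", ...
        table != "" && table != "filter" { next }    # other tables are out of scope
        $1 != "-A" || $2 != "OUTPUT" { next }
        index($0 " ", " " spec " ") == 0 { next }    # rule is for another port
        /-j DROP/ && !/--[ug]id-owner/ { if (!drop) drop = NR; next }
        /-j ACCEPT/ && /--[ug]id-owner/ && drop { late = late "\n  " $0 }
        END {
            if (!drop) { print "FAIL: no catch-all DROP for " spec; exit 1 }
            if (late)  { print "FAIL: ACCEPT after DROP (never matched):" late; exit 1 }
            print "ok: " spec
        }'
}

# Constructed sample: UIDs 115, 116 and 1000 stand in for privoxy,
# dansguardian and a parent account.
good_rules() {
cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner 115 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner 116 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j DROP
COMMIT
EOF
}

# Constructed sample: a second parent (UID 1001) appended after the final DROP.
late_rules() {
    good_rules | grep -v '^COMMIT$'
    echo '-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner 1001 -j ACCEPT'
    echo 'COMMIT'
}

good_rules | check_order '--dports 80,443'
good_rules | check_order '--dport 8118'
late_rules | check_order '--dport 8118' || true   # reports the misplaced rule
```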

Step 6: Configure your iptables settings to be active at boot

Iptables – Use this section if you DO NOT use UFW

Save your settings:

sudo bash -c "iptables-save > /etc/dansguardian/iptables.save"

Using any editor, open /etc/rc.local and add the following line (above exit 0)

73 Responses to Web content filtering made easy

@Bob – yes you can do that, you have to allow the owner/group access. If it is not working either you have the owner / group wrong or you need to add a rule earlier in iptables (order of your rules is important).

Seem to have got this working now. For anyone interested: I flushed the iptables, then created a new group “sudo addgroup gpodder” followed by “sudo usermod child_username -G gpodder”, then added the gpodder application to this new group: “sudo chgrp gpodder /usr/bin/gpodder”. Now after your second line of iptables commands I did “sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --gid-owner gpodder -j ACCEPT” to allow access to this gpodder group and it seemed to work. I can’t see why setting the http_proxy variables for gpodder method didn’t work for gpodder, but there you go.

@bodhi.zazen one thing I don’t understand is why that line works for privoxy out of the box? Why doesn’t one have to create a group for privoxy to employ that line? also why uid (user id) not gid (group id), I mean privoxy is not a user…so why does “uid-owner privoxy” work?

My kids are now old enough that I don’t need dansguardian and privoxy now.
I used your settings including transparency and speeding up privoxy.
How do I completely uninstall dansguardian and privoxy please?

I’m a newb to Linux, but I’m not afraid of a command-line. (Ah, the good old days of starting apps from DOS batch files…) Anyway, since resurrecting my old XP laptop with Kubuntu, I had been looking for a content filter so my kids would stay safe. These directions nailed it! I can still get to my regular geek and science sites and yet allow my kids free rein. Your directions worked like magic. And best of all, unlike that bloated OS from Redmond, I didn’t have to reboot to make it work! Thank you!

Yes bodhi you were right; while copying – pasting in my console, the two dashes (–) somehow turned into one long dash and this caused the problem.
Please allow me a couple of questions on your setup.
1. You are mentioning at the beginning of your tutorial that: “dansguardian needs another proxy server”. Nonetheless, when parents are using the computer, they must “connect to privoxy in order to circumvent dansguardian”??? (according to the fifth line iptables rule). So privoxy allows circumventing dg and does not just simply support dg usage? (given that the latter needs a proxy). And when children (the corresponding user) connect, shouldn’t they go on the web THROUGH privoxy?
2. The second iptables rule (sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT) what exactly does it do? It allows privoxy to connect to REMOTE (?) ports 80, 443? (I am saying REMOTE – other hosts) given that I see it is in the OUTPUT chain. If it had to do with the local ports 80 and 443, shouldn’t we have specified the lo interface?

@The Greek – Yes , dansguardian does not directly access the internet, so you need a second proxy to access web pages, privoxy in this example.

Everyone but root uses a proxy. Privileged users use privoxy only and the content is unfiltered. Unprivileged users use dans which then in turn uses privoxy. dans then filters the content and delivers the filtered result to firefox (or other web browser).

Does Privoxy + Dansguardian need to be configured with individual web browsers? (Has IKG’s issue been addressed?) I ask because I’m looking for parental controls that cannot be modified/removed without a password. “reset firefox” does not need a password and renders all addons useless for advanced users.